You can configure the Manual Key SA for VPN Clients or SonicWALL to SonicWALL VPN connections.
Note! The SonicWALL Global VPN Client does not use Manual Key.
Select Add New SA from the Security Association menu.
Select Manual Key from the IPSec Keying Mode menu.
Enter a descriptive name that identifies the VPN client in the Name field, such as the client’s location or name.
Make sure the Disable This SA box is unchecked to enable this VPN policy.
Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length.
Alert! Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.
Select Encrypt and Authenticate (ESP 3DES HMAC MD5) from the Encryption Method menu.
Alert! It is important to remember the Encryption Method selected as you need to select the same parameters in the VPN Client configuration.
Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is used to configure the remote SonicWALL client's encryption key, therefore, write it down to use when configuring the client.
Enter a 32 character hexadecimal authentication key in the Authentication Key field or use the default value. Write down the key to use while configuring the client settings.
Tip! Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window.
Select Use this SA as the default route for all Internet traffic if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this feature. If you do not select this feature, go to Step 10.
Click Add New Network to enter the destination network addresses. Clicking Add New Network automatically updates the VPN configuration and opens the VPN Destination Network window.
Enter "0.0.0.0" in the Range Start, Range End, and Destination Subnet Mask for NetBIOS broadcast fields.
Click Update to add the remote network and close the VPN Destination Network window. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
VPN between two SonicWALLs allows users to securely access files and applications at remote locations. The first step to set up a VPN between two SonicWALLs is creating corresponding Security Associations (SAs). The instructions below describe how to create an SA using Manual Key followed by an example illustrating a VPN tunnel between two SonicWALLs.
Select Add New SA from the Security Association menu.
Select Manual Key from the IPSec Keying Mode menu.
Enter a descriptive name for the Security Association, such as "Chicago Office" or "Remote Management", in the Name field.
Enter the IP address of the remote VPN gateway in the IPSec Gateway Address field. This must be a valid IP address and is the remote VPN gateway NAT Public Address if NAT is enabled. Enter "0.0.0.0" if the remote VPN gateway has a dynamic IP address.
Define an SPI (Security Parameter Index) that the remote SonicWALL uses to identify the Security Association in the Incoming SPI field.
Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing SPI field. SPIs should range from 3 to 8 characters in length and include only hexadecimal characters.
Alert! Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.
Select an encryption algorithm from the Encryption Method menu. Enter a 16-character hexadecimal key in the Encryption Key field if you are using DES or ARCFour encryption. Enter a 48-character hexadecimal key if you are using Triple DES encryption. This encryption key must match the remote SonicWALL's encryption key.
When a new SA is created, a 48-character key is automatically generated in the Encryption Key field. This can be used as a valid key for Triple DES. If this key is used, it must also be entered in the Encryption Key field in the remote SonicWALL. If Tunnel Only (ESP NULL) or Authenticate (AH MD5) is used, the Encryption Key field is ignored.
Enter a 32-character, hexadecimal key in the Authentication Key field.
When a new SA is created, a 32-character key is automatically generated in the Authentication Key field. This key can be used as a valid key. If this key is used, it must also be entered in the Authentication Key field in the remote SonicWALL. If authentication is not used, this field is ignored.
Click Add New Network to enter the destination network addresses. Clicking Add New Network automatically updates the VPN configuration and opens the VPN Destination Network window.
Enter the beginning IP address of the remote network address range in the Range Start field. If NAT is enabled on the remote SonicWALL, enter a private LAN IP address. Enter "0.0.0.0" to accept all remote SonicWALLs with matching encryption and authentication keys.
Enter the ending IP address of the remote network's address range in the Range End field. If NAT is enabled on the remote SonicWALL, enter a private LAN IP address. Enter "0.0.0.0" to accept all remote SonicWALLs with matching encryption and authentication keys.
Enter the remote network subnet mask in the Destination Subnet Mask for NetBIOS broadcast field if Enable Windows Networking (NetBIOS) Broadcast is selected. Otherwise, enter "0.0.0.0" in the field.
Click Update to add the remote network and close the VPN Destination Network window. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Require authentication of local users - Requires that all outbound VPN traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
Require authentication of VPN clients - All VPN clients will be authenticated via XAUTH using the authentication service specified on the Access>Users page.
Enable Windows Networking (NetBIOS) broadcast - Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and firewall rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and checks for attacks, but not NAT.
Forward packets to remote VPNs - Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
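The routing decision described for the Default LAN Gateway field, written out as an added example (not SonicWALL code); the static routes, destination addresses and gateway address are constructed sample values:

```python
import ipaddress

# Constructed sample static routes (as configured on the Routes tab): network -> next hop.
STATIC_ROUTES = {"192.168.11.0/24": "192.168.11.1", "10.5.0.0/16": "192.168.11.5"}

def route_inbound(dst_ip, static_routes=STATIC_ROUTES, default_lan_gateway=None):
    """Next hop for a decrypted inbound IPSec packet, or None when the SonicWALL would drop it."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, hop in static_routes.items():
        network = ipaddress.ip_network(net)
        # Longest-prefix match among the configured static routes
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    if best is not None:
        return best[1]
    # No static route matched: use the SA's Default LAN Gateway if one is set, otherwise drop.
    return default_lan_gateway
```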
Click OK to close the Advanced Settings window.
Click Update to update the SonicWALL.
To configure the second SonicWALL appliance, follow the same configuration steps as the first SonicWALL. You must enter the same SPIs and Encryption keys as the first SonicWALL appliance into the settings of the second SonicWALL appliance.
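The SPI and key rules above, and the requirement that the second appliance mirrors the first, as an added checker (not SonicWALL code). It assumes method names DES, ARCFour, 3DES, ESP NULL and AH MD5 as labels; the SPIs and keys in the sample pair are constructed placeholders:

```python
import re
from dataclasses import dataclass

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Encryption key length (hex characters) per method, as the page states;
# Tunnel Only (ESP NULL) and Authenticate (AH MD5) ignore the key field.
ENC_KEY_LEN = {"DES": 16, "ARCFour": 16, "3DES": 48, "ESP NULL": 0, "AH MD5": 0}
AUTH_KEY_LEN = 32

@dataclass
class ManualKeySA:
    name: str
    gateway: str        # IPSec Gateway Address of the peer
    incoming_spi: str
    outgoing_spi: str
    method: str
    enc_key: str
    auth_key: str

def validate_sa(sa, all_sas=()):
    """Return the rule violations for one SA (an empty list means it passes)."""
    errs = []
    for label, spi in (("Incoming SPI", sa.incoming_spi), ("Outgoing SPI", sa.outgoing_spi)):
        if not (3 <= len(spi) <= 8 and HEX_RE.match(spi)):
            errs.append(f"{sa.name}: {label} must be 3 to 8 hex characters")
    need = ENC_KEY_LEN[sa.method]
    if need and (len(sa.enc_key) != need or not HEX_RE.match(sa.enc_key)):
        errs.append(f"{sa.name}: {sa.method} needs a {need}-character hex encryption key")
    if len(sa.auth_key) != AUTH_KEY_LEN or not HEX_RE.match(sa.auth_key):
        errs.append(f"{sa.name}: authentication key must be 32 hex characters")
    # No two SAs on one appliance may share an SPI; within a single SA the
    # Incoming SPI may equal the Outgoing SPI, so only other SAs are compared.
    for other in all_sas:
        if other is sa:
            continue
        shared = {sa.incoming_spi, sa.outgoing_spi} & {other.incoming_spi, other.outgoing_spi}
        if shared:
            errs.append(f"{sa.name}: SPI {sorted(shared)[0]} already used by {other.name}")
    return errs

def check_mirrored(local, remote):
    """Peer check: remote Incoming SPI == local Outgoing SPI (and vice versa); same method and keys."""
    errs = []
    if (remote.incoming_spi, remote.outgoing_spi) != (local.outgoing_spi, local.incoming_spi):
        errs.append("SPIs are not swapped between the two appliances")
    if remote.method != local.method:
        errs.append("encryption methods differ")
    if (remote.enc_key, remote.auth_key) != (local.enc_key, local.auth_key):
        errs.append("encryption or authentication keys differ")
    return errs

# Constructed sample pair for the Widgit example; the SPIs and keys are placeholders, not real ones.
MAIN = ManualKeySA("Main Office", "207.66.55.130", "abc123", "def456", "3DES", "0123456789abcdef" * 3, "0123456789abcdef" * 2)
REMOTE = ManualKeySA("Remote Office", "209.33.22.2", "def456", "abc123", "3DES", MAIN.enc_key, MAIN.auth_key)
```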
Widgit, Inc. wants to connect their main office with a branch office on the East Coast. Using a SonicWALL PRO 300 and a TELE3, they can configure a secure VPN tunnel between the two sites. The main office has the following network settings:
SonicWALL LAN IP address - 192.168.11.1
LAN subnet mask - 255.255.255.0
WAN router address - 209.33.22.1
SonicWALL WAN IP address - 209.33.22.2
WAN subnet mask - 255.255.255.224
The remote office has the following network settings:
SonicWALL LAN IP address - 192.168.22.222
LAN subnet mask - 255.255.255.0
WAN router address - 207.66.55.129
SonicWALL WAN IP address - 207.66.55.130
WAN subnet mask - 255.255.255.248
To configure the main office PRO 300, use the following steps:
Configure the network settings for the firewall using the Network tab located in the General section.
Click Update and restart the SonicWALL if necessary.
Click VPN, then the Configure tab.
Create a name for the main office SA, for example, Main Office.
Enter the remote office WAN IP address for the IPSec Gateway Address.
Create an Incoming SPI using alphanumeric characters.
Create an Outgoing SPI using alphanumeric characters.
Select Strong Encrypt (ESP 3DES) as the Encryption Method.
Write the Encryption Key down or use cut and paste to copy it to a Notepad window.
Click Add New Network. Enter the IP address, “192.168.22.1” in the Range Start field. Enter the IP address, “192.168.22.254” in the Range End field. This Range End value is appropriate even if NetBIOS broadcast support is enabled. Leave the subnet mask field blank.
Click Update.
Click OK, and then click Update.
To configure the remote SonicWALL, use the following steps:
Configure the network settings for the firewall using the Network tab located in the General section.
Click Update and restart the SonicWALL if necessary.
Click VPN, then the Configure tab.
Create a name for the remote office SA, for example, Remote Office.
Enter the main office WAN IP address for the IPSec Gateway Address.
Enter the Outgoing SPI of the main office in the Incoming SPI field.
Enter the Incoming SPI of the main office in the Outgoing SPI field.
Select Strong Encrypt (ESP 3DES) as the Encryption Method.
Enter the Encryption Key from the Main Office configuration.
Click Add New Network. Enter the IP address, “192.168.11.1” in the Range Start field. Enter the IP address, “192.168.11.254” in the Range End field. This Range End value is appropriate even if NetBIOS broadcast support is enabled. Leave the subnet mask field blank.
Click Update.
Click OK, then click Update.